this post was submitted on 05 Mar 2025

Arch Linux

I'm thinking about switching to a Firefox fork as a web browser. Apart from Tor, they're all on AUR. I can't use Tor all the time.

Do you consider that a security risk that's worth worrying about? E.g. you could get a dodgy maintainer putting malware in it, at least theoretically.

[–] yoevli@lemmy.world 5 points 1 day ago (1 children)

They're referring to Firefox forks which are available only in the AUR and not from the main repos. In that case there can be a level of risk, but you can manually review the PKGBUILD of whatever package you end up installing to verify that it's not doing anything fishy when pulling sources.

Apart from that, you may also want to look into potentially installing a Flatpak. This still comes with some risk if it's not official (packaged and published by the original devs), but AFAIK there's at least some sort of vetting process for packages to be accepted into Flathub.

[–] erici@lemmy.sdf.org 0 points 1 day ago (1 children)

Yes, that's what I'm referring to. Thanks, I'll try Flathub. Manually reviewing the PKGBUILD is beyond my capabilities.

[–] TauZero@mander.xyz 2 points 1 day ago

For something like a browser, you don't even need to "install" at all. You only need to acquire the standalone/portable executable from the browser developer's official website. For example you get Waterfox from https://www.waterfox.net/download/. If you read the PKGBUILD, even if you can't see through all the potential malicious tricks you'll at least find that that's basically all it claims to do: download a binary from official website and put it somewhere. In this case "installing" means using root permissions to stick it in /usr/bin, so all users on the computer can run it. But since almost all home computers only have a single user, you can skip having to give it (temporary) root access by saving it in your home directory instead. I also run the binary inside its own Firejail so it doesn't even have access to my personal files. You are always trusting someone, be it the Arch maintainers, the AUR contributors, or the independent browser developers, but this way the least number of parties get the least number of permissions.
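A small script illustrating the review yoevli and TauZero describe, added here as an example and not code from the thread or from any AUR package: it reads a PKGBUILD without sourcing it (sourcing would run the maintainer's code) and flags every source that is not fetched over https from the expected vendor host, plus every SKIP checksum, so a non-expert can at least confirm "it downloads a binary from the official site and nothing else". The sample PKGBUILD, the host pattern and the function names are constructed for the example; it does not inspect prepare()/build()/package(), so those still need a look by eye.

```bash
#!/usr/bin/env bash
# Constructed sample PKGBUILD (not a real AUR package): one https download from
# the vendor host, one plaintext-http helper script, and two SKIP checksums.
SAMPLE_PKGBUILD='pkgname=browser-fork-bin
pkgver=1.2.3
source=("https://www.waterfox.net/releases/${pkgver}/browser-${pkgver}.tar.bz2"
        "helper.sh::http://example.invalid/helper.sh"
        "browser.desktop")
sha256sums=("0000000000000000000000000000000000000000000000000000000000000000"
            "SKIP"
            "SKIP")
package() {
  install -Dm755 "$srcdir/helper.sh" "$pkgdir/usr/bin/helper"
}'

# Print the entries of an array assignment such as source=(...) one per line
# WITHOUT sourcing the file (that would execute the code under review).
# $1 = PKGBUILD path, $2 = array name. Stops at the first closing parenthesis.
pkgbuild_array() {
  sed -n "/^$2=(/,/)/{p;/)/q;}" "$1" | sed "s/^$2=(//; s/)\$//" \
    | tr -s ' \t' '\n' | sed 's/^"//; s/"$//' | grep -v '^$'
}

# Report remote sources that are not https or whose host does not match the
# expected vendor pattern ($2, an ERE), and every SKIP checksum (makepkg then
# accepts whatever bytes the server returns). Returns the number of findings.
audit_pkgbuild() {
  local findings=0 entry url scheme host sum
  for entry in $(pkgbuild_array "$1" source); do
    url=${entry#*::}                      # drop an optional "localname::" prefix
    case $url in *://*) ;; *) continue ;; esac   # local files are not downloads
    scheme=${url%%://*}
    host=${url#*://}; host=${host%%/*}; host=${host#*@}
    if [ "$scheme" != https ]; then
      echo "insecure scheme: $url"; findings=$((findings + 1))
    fi
    if ! printf '%s\n' "$host" | grep -Eq -- "$2"; then
      echo "unexpected host: $host ($url)"; findings=$((findings + 1))
    fi
  done
  for sum in $(pkgbuild_array "$1" sha256sums); do
    [ "$sum" = SKIP ] && { echo "unpinned checksum: SKIP"; findings=$((findings + 1)); }
  done
  return "$findings"
}

PKGBUILD_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_PKGBUILD" > "$PKGBUILD_FILE"
audit_pkgbuild "$PKGBUILD_FILE" 'waterfox\.net$' || echo "$? finding(s) to explain before building"
```

Run it against the PKGBUILD a helper like yay or paru shows you before building; a clean result only means the download side is as claimed, not that the build functions are harmless.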